Skip to content

Instantly share code, notes, and snippets.

@drj11
Created September 26, 2014 14:17
Show Gist options
  • Save drj11/e85ca2d7503f28ebfde8 to your computer and use it in GitHub Desktop.
Save drj11/e85ca2d7503f28ebfde8 to your computer and use it in GitHub Desktop.
Copy of CVE-2014-6271.diff
Description: fix incorrect function parsing
Author: Chet Ramey <chet.ramey@case.edu>
Index: bash-4.2/bash/builtins/common.h
===================================================================
--- bash-4.2.orig/bash/builtins/common.h 2010-05-30 18:31:51.000000000 -0400
+++ bash-4.2/bash/builtins/common.h 2014-09-22 15:30:40.372413446 -0400
@@ -35,6 +35,8 @@
#define SEVAL_NOLONGJMP 0x040
/* Flags for describe_command, shared between type.def and command.def */
+#define SEVAL_FUNCDEF 0x080 /* only allow function definitions */
+#define SEVAL_ONECMD 0x100 /* only allow a single command */
#define CDESC_ALL 0x001 /* type -a */
#define CDESC_SHORTDESC 0x002 /* command -V */
#define CDESC_REUSABLE 0x004 /* command -v */
Index: bash-4.2/bash/builtins/evalstring.c
===================================================================
--- bash-4.2.orig/bash/builtins/evalstring.c 2010-11-23 08:22:15.000000000 -0500
+++ bash-4.2/bash/builtins/evalstring.c 2014-09-22 15:30:40.372413446 -0400
@@ -261,6 +261,14 @@
{
struct fd_bitmap *bitmap;
+ if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
+ {
+ internal_warning ("%s: ignoring function definition attempt", from_file);
+ should_jump_to_top_level = 0;
+ last_result = last_command_exit_value = EX_BADUSAGE;
+ break;
+ }
+
bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
begin_unwind_frame ("pe_dispose");
add_unwind_protect (dispose_fd_bitmap, bitmap);
@@ -321,6 +329,9 @@
dispose_command (command);
dispose_fd_bitmap (bitmap);
discard_unwind_frame ("pe_dispose");
+
+ if (flags & SEVAL_ONECMD)
+ break;
}
}
else
Index: bash-4.2/bash/variables.c
===================================================================
--- bash-4.2.orig/bash/variables.c 2014-09-22 15:29:30.188411567 -0400
+++ bash-4.2/bash/variables.c 2014-09-22 15:30:40.372413446 -0400
@@ -347,12 +347,10 @@
temp_string[char_index] = ' ';
strcpy (temp_string + char_index + 1, string);
- parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
-
- /* Ancient backwards compatibility. Old versions of bash exported
- functions like name()=() {...} */
- if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
- name[char_index - 2] = '\0';
+ /* Don't import function names that are invalid identifiers from the
+ environment. */
+ if (legal_identifier (name))
+ parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
if (temp_var = find_function (name))
{
@@ -361,10 +359,6 @@
}
else
report_error (_("error importing function definition for `%s'"), name);
-
- /* ( */
- if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
- name[char_index - 2] = '('; /* ) */
}
#if defined (ARRAY_VARS)
# if 0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment